A clever virus that automatically updates itself from the Internet is circulating disguised as a year 2000 problem fix, according to the Symantec AntiVirus Research Center in Santa Monica, Calif.
Known as W95.Babylonia, the virus affects Windows 95 and 98 users. It’s unique because it has the ability to wait for an Internet connectiUS group called Source of Kaos, according to Trend Micro.
The unique design of the Babylonia virus allowed virus writers to centrally update it to defeat attempts to block it. It could also send a custom payload to infected computers based on user information sent back to the virus creator. The virus automatically sends an e-mail to firstname.lastname@example.org to track infected computers and gather data, Symantec said.
“It’s very scary,” said Jeffrey Baker, a network manager at telecommunications gear maker Harris Corp. in Melbourne, Fla. “What we have seen in the past is that viruses can spawn themselves and move around a company and delete data off a [shared network]. Now they can gather stuff off remote servers and start copying your data or start looking for specific things in your environment.”
W95.Babylonia propagates using Windows-based Microsoft Internet Relay Chat (MIRC) software. When an infected user logs on to MIRC, the program automatically sends the virus to everyone within the same MIRC chat room, appearing as a Y2K bug fix. When the file is executed, it infects other 32-bit .exe program files and Windows Help files.
The virus can also be sent as an e-mail attachment and launched when the attachment is opened. The virus can spread itself through a network quickly via shared network drives, Symantec said.
Symantec suggests companies configure their firewall software to block unauthorized connections to external Web sites. As always, users should also keep their virus definitions updated, be wary of opening unknown executables and verify suspicious e-mail, Symantec said.
Baker said companies need to examine data that comes into the network via e-mail, Web traffic, Java executables on client machines and even through Sendmail servers on Unix clients. Companies can deploy virus updates with digital audio tapes (DAT), but users are still able to download viruses from the Web and execute them on local, unprotected machines.
Harris Corp. has set up an effective antivirus strategy with the help of Santa Clara, Calif.-based Network Associates Inc.’s Prime Support service, Baker said. The service provides DAT updates that can be loaded directly onto production machines.